The Rise and Fall (and possible Renaissance) of Healthcare Information Security

The healthcare IT headlines have been screaming about the lapses and dysfunction of information security. The reported data breach at UPMC, the reported breach at Cottage Health System last year, the news from Healthcare IT News that “Nashville, TN based Cogent Healthcare also recently reported an incident when a site the organization was using to store patient data had its firewall down, that exposed the PHI of approximately 32,000 patients,” and the recent attack on Boston Children’s Hospital, reportedly by the group known as Anonymous, have brought to the forefront the need for a better defense strategy for healthcare’s security infrastructure, protocols and policies across the spectrum.

How many provider CEOs, CIOs, CFOs and VPs of Medical Records think about their organization’s plans for organizational continuity if they should have to defend against hackers or update their infrastructure? How many know of the ability to wipe data off a remote tablet or device? The physicians all want these lighter, “easier to use” devices that help them put in their clinical notes faster and see their 30 to 40 patients (depending on the physician) a day without lugging around a heavy laptop all day.

I’m sure that not many had really thought about a renowned hacker group trying to hack into and access the medical records of a children’s hospital (until now). I’m quite sure that when sitting in a board room and discussing the investment of time and organizational resources to defend against these possible situations, while it has been taken with the utmost seriousness, the prevailing attitude is “this won’t happen to us.”

Well, it can and it will in this new, cyber age. A Healthcare IT News article mentioned that Verizon reported that the majority of data breaches were from the theft or loss of unencrypted devices. Do we need to take healthcare information encryption to a whole new level?

In addition, is two-factor authentication enough, or do we need to start thinking about multi-factor authentication? When deploying the infrastructure for a healthcare provider in our region we focused on tap badges and the deployment of tap badge readers, rather than fingerprint scans, as part of the two-factor authentication (something you have, e.g. a badge, and something you know, e.g. a password) stipulated by the Ohio Board of Pharmacy requirement. Maybe the time is appropriate to think about a third factor (something that the user is) and add a fingerprint or retina scan…yes, I know, we’re getting into the sci-fi realm here. All this will take time to finally get implemented, and as the costs of security and defense of systems mount, so will the costs associated with our healthcare. Ohio, for instance, has probably spent close to a billion dollars, taking into account all of the healthcare providers in the state and their implementations over the last few years of EHR and the supporting infrastructure to run it appropriately. This investment will take years to achieve its ROI. Imagine if we now need to start thinking about further securing our healthcare information and needing new standards for that. Will this kill any push towards the cloud?
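To make the two-factor rule concrete (each factor must be present and must verify on its own, so a stolen badge without the password fails, and a guessed password without the badge fails), here is an added example in Python. It is not code from the original post or from any vendor or pharmacy board mentioned in it; it assumes a hypothetical user directory keyed by username, a salted PBKDF2 password hash as the “something you know” check, and a badge serial number as the “something you have” check. The user, password and badge values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

# Assumed PBKDF2 work factor for the demo; tune to your hardware in practice.
PBKDF2_ITERATIONS = 100_000


class AuthResult(Enum):
    """Detailed outcome for the audit log. The login screen should only ever
    show a generic "authentication failed" message, not which factor failed."""
    OK = "both factors verified"
    UNKNOWN_USER = "unknown user"
    BAD_PASSWORD = "knowledge factor (password) failed"
    BAD_BADGE = "possession factor (badge) failed"


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes
    badge_serial: str  # serial of the tap badge issued to this user (hypothetical)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the directory never stores a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(username: str, password: str, badge_serial: str) -> UserRecord:
    """Create a directory entry with a fresh random salt."""
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt), badge_serial)


def authenticate(directory: dict, username: str, password: str, badge_serial: str) -> AuthResult:
    """Two-factor check: something you know AND something you have.

    Both comparisons use hmac.compare_digest so the time taken does not leak
    how many bytes matched. Both factors are always evaluated before deciding,
    so a wrong password and a wrong badge take the same time.
    """
    user = directory.get(username)
    if user is None:
        # Burn a hash anyway so a missing username is not faster than a bad password.
        hash_password(password, b"\x00" * 16)
        return AuthResult.UNKNOWN_USER

    password_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    badge_ok = hmac.compare_digest(badge_serial.encode(), user.badge_serial.encode())

    if not password_ok:
        return AuthResult.BAD_PASSWORD
    if not badge_ok:
        return AuthResult.BAD_BADGE
    return AuthResult.OK


# Constructed directory for the demo: one hypothetical clinician and badge.
DIRECTORY = {"dr.example": enroll("dr.example", "correct horse battery", "BADGE-0001")}


def demo() -> dict:
    """Run the four cases a practitioner would want to see: both factors, badge
    only, password only, and an unknown user."""
    return {
        "both": authenticate(DIRECTORY, "dr.example", "correct horse battery", "BADGE-0001"),
        "badge_only": authenticate(DIRECTORY, "dr.example", "wrong password", "BADGE-0001"),
        "password_only": authenticate(DIRECTORY, "dr.example", "correct horse battery", "BADGE-9999"),
        "no_user": authenticate(DIRECTORY, "nobody", "anything", "BADGE-0001"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result.value}")
```

The point of the example is the shape of the decision: only the combination of a verified badge and a verified password returns `OK`, and the detailed reason is kept for the audit trail rather than shown to whoever is standing at the tap reader.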

While organizations like Microsoft thought this through and were primed for this wave when they acquired PhoneFactor in 2012, this latest wave of breaches, penalties and attacks on healthcare infrastructure will surely make more than a few sit up and take notice, not only of the opportunity to improve in an insightful and cost-effective way, but also of the need to keep prioritizing patient safety through security. With HIPAA notification requirements having become more stringent as of the fall of 2013, care delivery organizations should seriously plan dress rehearsals or “fire drills” to prepare for a new age of information defense. Where’s an “ethical hacker” when you need one?

The Tide is HIE, but we’re moving on…

[Image: CCD example found online]

Ok, so I was a “Blondie” fan in the 80s, I mean, who wasn’t really? During a breakfast meeting with some healthcare leaders on Friday, we discussed the need for an HIE and what it would mean to executive leaders in the region if they pulled out of the local healthcare information exchange. Meaningful Use requires that you be interoperable not only with another healthcare provider organization that has the same electronic health record you have installed, but also with one whose EHR is different from yours. What is the need for an HIE then, if CMS stipulates that you need to do this in order to attest to MU 2 anyway? In a HIMSS document, they mention that while working with Stage 1 objectives and measures, “an organization should keep in mind that future rule making around Stage 2 and Stage 3 requirements will include HIE capabilities”.

Many healthcare IT executives wonder whether it is worth the money to pay an HIE to follow their patients and make sure that CCDs, or Continuity of Care Documents, can be initiated (see the generic example I found on the left). As of now, if my healthcare provider wants me to go get a blood test, and the lab I have gone to is the same one close to my house for the last 12 years (currently owned by a different provider in this day and age of acquisitions and integrations), I am happy that half a day after I get my blood drawn, I have the results on my smartphone app. A far cry from when I had to wait for days without knowing the result, and even then only if my provider got it, saw it and then mailed or faxed it to me (or I was asked to come in for an appointment, pay the co-pay, review the result with him, he made a copy, and I took that copy home and filed it in my healthcare folder). Fewer trees cut down, less wait, less suspense. Patient Engagement at its finest.

As was noted in a Government Health IT News article, many of the measures in MU Stage 3, such as sharing care summaries and care plans, rely on health information exchanges, while exchanging data remains expensive, the core problem being standards for data, transport and identification of patients. Underlying costs for long-term interface development, support and maintenance remain high, not to mention the safety issues and the inability to keep data secure when it moves between different standards and processes at each care delivery provider.

We are getting to be more educated about our healthcare as patients and consumers of healthcare, and we want to be. I watched CNN’s GPS with Fareed Zakaria on the April 20th episode, and he discussed the study in which the US was found to be ranked #16 in terms of Social Progress by noted Harvard scholar (and committed capitalist) Michael Porter. America ranks poorly according to the team that Porter has put together. A fascinating GPS episode and a must watch. It takes social aspects, community and your quality of life in a country and captures them in a framework that measures social progress in quantitative terms. In Health and Wellness, the US ranks 70th, and we spend more money than many other countries in the world. In Access to Information and Communication, we are behind Jamaica at 23. These numbers surprised me. On the penetration of and access to information (like mobile telephone subscriptions, where we are 83rd) we do poorly, and we do better at Access to Basic Knowledge at 39th (behind Cuba). Something to think about.


ICD-10’s future and Population Health

Widely publicized, and taking the industry quite by surprise, was how someone could slip the delay of the ICD-10 regulatory go-live to 2015 into the vote on repealing the Sustainable Growth Rate reduction of 24% (aka the “Doc Fix”).

Now that both the Senate and the House have voted to delay ICD-10 (with no mention of it during the 5 hour debate), the question of gaining better data by capturing, storing and analyzing medical information electronically, which could have facilitated better quality of care, improved population-based knowledge and the development of new tools for medicine, is up in the air. Project sponsors and stakeholders seem divided about next steps, though completing their planned work effort, now with more flexibility, seems wise: it will be one less “priority #1” that they have to deal with in the future, and the transition would be less hectic and possibly lower cost if done now.

A few examples of such data are patient medical records, radiological images, clinical trial data, FDA submissions, human genetics and population data. ICD-10-CM will be instrumental in supporting the healthcare data that is growing exponentially from digitizing existing data and generating new forms of data. HHS and CMS e-health initiatives are key drivers, providing pathways for the appropriate people to get access to the data: the problem lists, medication lists, lab orders that were performed and the computer-assisted codes (CAC) generated out of all the narrative output.

ICD-10-based segmentation opportunities assess the health needs of each segment of the patient population with increased accuracy, enhancing each member’s experience by providing additional touch points and addressing gaps in care. ICD-10 allows advanced engagement, compliance and care management efforts to result in healthier members. Informed allocation of resources for clinical intervention enables significant cost reduction.

ICD-10 will also feed scientific healthcare data for research and population health management. Over time, ICD-10 data would provide more information on disease progression and treatment efficacy. From a high-level perspective, ICD-10 will generate more detailed healthcare data and a greater flow of specific and viable data that improve medical communication, which could contribute to advanced disease protocols and clinical pathways. Predictive modeling is now gaining ground more than ever, and just as the retail industry has been able to understand its customers’ buying patterns and behavior, so too will healthcare organizations with their patients and payers with their members. ICD-10 data has the potential to yield more information about the quality of care and, as a result, this improved data will support a better understanding of complications, better design of clinically robust algorithms and more accurate tracking of patient outcomes, as the codes better describe the gravity of a patient’s illness.

A healthcare leader reminded me today about a conversation that we had just before the end of last year. The delay in ICD-10 is one of the reasons why many healthcare IT executives wait until the last minute to get things accomplished: many times it does not pay to be a leader in completing your initiatives, and, due to the instability of the political and regulatory climate, being an early adopter of either technology or regulatory mandates doesn’t always pan out. ICD-10 is more reflective of the scientific advances that have occurred in medicine in the last 30 years. ICD-10 has been out since 1994 and we need to adopt it sooner rather than later. Hundreds of millions of dollars have been spent around the country to get ready by October 1st, 2014, which does not seem to have been understood by the political community in Washington, D.C. While I don’t offer any political viewpoints or advice, I would, on this topic, ask whether any of the Congressional leaders understand the immensity of their vote and the sunk costs borne by healthcare organizations around the country to be ready by October 1st, 2014. Healthcare advocacy has now taken on a different dimension. Ask your elected officials in Congress why they voted for this; I would like to see what they say. It would be good to find out who added the ICD-10 delay into the final document.

Healthcare’s sign of the times – Big Data, Analytics and Patient Profiling.

To profile or not to profile. Analytics and Big Data are in everything now. They are used for online couponing to analyze your buying patterns, in your email to learn what your likes and dislikes are, in your browser with pop-ups and in your social media. They have been in healthcare among the industry leaders, but were going to get more penetration as soon as the industry realized that it would have to get to know its patients through Patient Engagement initiatives as part of Meaningful Use Stage 2, where it is mandated that 5% of patients view, download and transmit their own health data. Healthcare provider organizations who are concerned about reaching that percentage of their patient population can leverage analytics to help drive that engagement. Now that predictive modeling is the hot-button topic of our healthcare IT times, I have given a lot of thought to patient profiling and how it will progress over the years through better ways to collect, transform and present patient engagement data.

Building an enterprise data warehouse within a healthcare delivery organization brings the many disparate systems that hold data together, integrating them into a single source of truth for operations, clinicians and the consumers of the data or analytics. Many in the healthcare ecosystem now believe that the way to progress is through the integration of disparate data, much of it from legacy systems where the data was never clean and easy, and organizations now think that having this data will give them an edge in a newer, more cost-conscious care delivery ecosystem.

How much of a risk are you really, and how effectively can a care delivery organization manage its costs and quality of care when dealing with a patient who has a likelihood of hospitalization and possible re-admission in the near future, and who is therefore a risk to the organization, especially for an ACO?

Physicians have the opportunity to prevent these patient readmissions by utilizing profiling techniques that may be exactly what large CPG or retail organizations already do well. The ED (Emergency Department), one of the most expensive locations for care that an organization has, needs to become increasingly efficient without losing the high quality of care that the community requires of it. Keeping patients away from the ED’s facilities and on regular ambulatory visits, by identifying their conditions or health characteristics early on and leveraging newer technologies such as tele-health (Ohio HB 123, covering just that topic, was recently passed here in Ohio and is effective 5.20.2014), can lower the costs for an ED, make the delivery of care more efficient, and target care for specific, previously identified patients more pro-actively.

Profiling can allow a physician to help lower the cost of the medications that a patient is prescribed by reviewing and substituting equivalent, lower-cost medications for the patient based on the information at hand. Medications account for one of the highest areas of healthcare costs today.

I sum up today’s blog post by reminding everyone that whether you work for or are a healthcare provider, a vendor, a professional services firm or a consumer of healthcare services, you have your work cut out for you. My encouragement goes out to everyone, as I know and have seen how busy your day-to-day lives are, and I have also seen how EMR teams, reporting and analytics teams and functional managers are many times tasked with the seemingly improbable job of getting all of the work effort completed in the short time frames they have, and somehow it all comes together. For those of you in a state (clue: NC) on the Southeast coast of the United States who I know went Big Bang at all locations, with everything live this past Friday morning with your EMR, my hat is off to you, for you are one of those teams that have worked countless hours to make the seemingly impossible seem doable. Collaboration and good team dynamics are the key. Don’t forget that!

Oh, and if you are viewing this from an XP machine after April 8th, well, you better unplug your computer from the internet because Microsoft has stopped supporting XP. Talk to your IS&T team if you are in an organization and think about options for a different platform.